
POV - Enterprise Security Canvas


A Point of View I created for effectively addressing the complexities of securing organizations of all sizes. This approach is complementary and additive to traditional enterprise security models.


  1. January 14, 2019 – Enterprise Security Canvas: A Value-at-Risk approach for making smart cybersecurity decisions. Robert Greiner – Point of View – 2019
  2. Pariveda Solutions, Inc. Confidential & Proprietary. You are not as secure as you think you are. Malicious actors are constantly probing for vulnerabilities within the global attack surface and enjoy the benefit of cutting-edge innovation in exploiting systems. RSA’s Highest Value-at-Risk (breach chain shown on the slide):
    • Attackers gained access to RSA’s network via a phishing attack
    • High-value information stolen, including SecurID seeds and the database of serial numbers
    • Stolen information used to gain access to the Lockheed Martin VPN
    • Additional hacking attempts targeted at defense contractors, breaking their understanding of secure systems
    • The full extent of the attack is still not known (250 million issued tokens)
    “There are two types of companies: those that have been hacked, and those who don't know they have been hacked.” – John T. Chambers, Former CEO, Cisco Systems
  3. Traditional security methods are only effective in bounded environments. Through the 20th century, the Defense-in-Depth approach was considered sufficient to secure the Enterprise. Today, organizations are enduring increasing volatility and difficulty as they attempt to apply bounded methods to unbounded environments, resulting in suboptimal outcomes. [Illustrative diagram: the Traditional Defense-in-Depth Approach, a technical approach rooted in “Kinetic Defense”, drawn as a perimeter around the Enterprise] … But bounded environments don’t exist.
  4. Organizations are exposed to increased risk as automation and connection points within a complex Value Network grow exponentially. [Illustrative diagram: the Traditional Defense-in-Depth Approach (technical, rooted in “Kinetic Defense”) around the Enterprise, with Suppliers and Customers outside the perimeter; Threats reach the Value-at-Risk through the Provider & Supplier Gap and the Customer & Product Gap at each Integration Point]
  5. Building a bigger moat is no longer sufficient to secure the Enterprise. Organizations are struggling to effectively secure the Enterprise as the ever-evolving complexity in the global threat landscape continues to expand and trend towards increased machine-to-machine automation, resulting in a macro-shift that is incompatible with legacy security methods. [Illustrative diagram: the Enterprise, its Trusted Partners, Trusted Customers & Products and Trusted Providers, and the Implicit Trust (Risk) between them, make up the Global Attack Surface within the Value Network; Value-at-Risk and Enterprise Trustworthiness sit inside it, surrounded by Volatility, Uncertainty, Complication and Ambiguity]
  6. Public security incidents may cause increased security “fear spend” or make products less attractive to customers. To mitigate value destruction at scale, organizations must implement a security approach that considers players and interactions in the Value Net. [Value Net diagram: SUPPLIERS, COMPLEMENTORS, COMPETITORS, CUSTOMERS around the ENTERPRISE]
    • Value network players complement each other as they improve their own security posture or provide products that enhance security.
    • Suppliers must effectively steward privileged access to systems and data across players in the network.
    • Customers must be protected from compromised products, theft of sensitive data, and disruption of services.
    Source: Co-opetition
  7. Value Takers are malicious players that exploit and magnify VUCA and can’t be mitigated using legacy categorization-based security approaches. [Updated Value Network Model (Complex Environment): VALUE TAKERS added to SUPPLIERS, COMPLEMENTORS, COMPETITORS, CUSTOMERS and the ENTERPRISE; Value Takers exploit Volatility, Uncertainty, Complication and Ambiguity and steal or destroy value] Most security tools and approaches are limited to an Enterprise focus and do not account for all players and interactions within the Value Network. Cynefin Framework: a Sense-Making Approach (data precedes framework) versus a Categorization Approach (framework precedes data). “Leaders who try to impose order in a complex context will fail, but those who set the stage, step back a bit, allow patterns to emerge, and determine which ones are desirable will succeed.” – David Snowden
  8. Due to the complexity inherent in the Value Net, organizations must orient themselves at a level of analysis appropriate for their security goals. [Diagram of levels of analysis: Value Network → Value Chain → Enterprise → Business Unit → Applications, Systems (Human), Systems (Software), Infrastructure, Suppliers, Process]
  9. Pariveda’s approach to security moves past the moat and castle. Organizations must adopt an approach to security that accounts for the volatility, uncertainty, complication, and ambiguity present at all levels in the Value Network. To accomplish this outcome, we recommend a triple-loop approach that evolves as the environment is probed for new insights. Pariveda’s Security Process Canvas:
    • 1. ORIENT – Leverage workshops and instruments to identify areas to explore in order to effectively manage risk within the Value Network.
    • 2. PROBE – Design and implement experiments aimed at gleaning critical information about the security environment.
    • 3. SENSE – Process data from experiments based on quantitative and probabilistic methods.
    • 4. RESPOND – Make decisions based on data gleaned from careful and quantitative experimentation.
    • 5. REVISE & REPEAT – Continually repeat, refresh, and evolve models and processes to further reduce risk within a complex environment.
    ✓ Loop 1 – Update decisions based on new information
    ✓ Loop 2 – Revise individual models and processes
    ✓ Loop 3 – Revise, refactor, and recreate the set of models and processes
  10. Our differentiated model enables effective security in complex domains. We have elevated the traditional Enterprise Security model across several dimensions, adapting to the current hyper-connected global threat landscape and creating an approach compatible with addressing future advancements in cyberthreats. Core Enterprise Security Canvas:
    • V – Value-at-Risk: Leverage quantitative assessments of risk, paired with a bi-modal value assessment, in order to facilitate smarter cybersecurity decisions.
    • T – Tooling & Automation: Codify and automate critical security rules and infrastructure across the Enterprise. Consistent and reliable reporting and data architecture.
    • PS – Proactive Security (Zero Trust): Proactive assessments, investments, monitoring, analysis, and action to address security threats. Adaptive security methods based on monitoring.
    • EP – Ecosystem Partnership: Widespread training, education, and collaboration around security best practices. Recurring rationalization of trusted connections.
    • PC – People-Centric Security: Leveling up the security capabilities of humans in the Enterprise. Instill a culture of security-minded humans with compatible metrics and measures.
    • Pr – Product Security: Protect customers, partners, and the Enterprise against compromised physical products and devices (webcams, POS systems, etc.).
  11. Organizations must define and quantify their Value-at-Risk and security posture in the Value Net in order to make smart cybersecurity decisions. V – Value-at-Risk: Leverage quantitative assessments of risk, paired with a bi-modal value assessment, in order to facilitate smarter cybersecurity decisions.
  12. Pariveda’s Enterprise Approach to Value-at-Risk. Pariveda’s Value-at-Risk approach helps organizations manage and reduce risk and uncertainty in complex environments.
    • Bi-Modal Value & Risk Mapping – Manage the dichotomy between the value the Enterprise sees in data and systems and the value hackers seek to exploit. Leverage quantitative risk analysis and decision making to maximize Return on Mitigation.
    • Continuous Experimentation – Continually develop and run experiments to reduce uncertainty and risk in security posture. Magnify experiments that work (e.g. Penetration Testing) and dampen experiments that don’t. Improve quantitative methods, metrics, and estimates to facilitate directionally correct cybersecurity decisions.
    • Component-Level Value Reduction – Re-architect datasets to create exponential reductions in the value of instantiated/stored data without diminishing the composite value of data and systems across the Enterprise.
    • Calibrated Value & Risk Assessment – Leverage quantitative and probabilistic methods for measuring risk and uncertainty. Define Value-at-Risk by decomposing potential security incidents within Confidentiality, Integrity, and Availability commitments.
    • Probe Path-to-Value – Any pathway to valuable data is a constituent element of value, which is rarely attacked directly. Identify interconnected systems that rely on high-value data and assign edge-and-node value.
  13. We have developed an Enterprise Security Canvas that improves the security posture of our clients. Pariveda’s Enterprise Security Canvas provides a mechanism to develop and analyze uncertainty-reducing experiments and socialize the results in order to make smarter cybersecurity decisions. [Illustrative diagram: the Enterprise Security Canvas viewed through a Value-at-Risk Lens against VUCA]
  14. Enterprise Security Canvas – Value Network Core Metaview (illustrative). Leveraging the Enterprise Security Canvas to decompose potential security incidents using a Value-at-Risk lens. Rows are the Value Network security commitments; columns are the players Enterprise, Customers, Suppliers, Competitors, Complementors and Value Takers; the [V], [U], [C], [A] tags follow the VUCA lens named on slide 13.
    • Confidentiality (Authorized Access)
      – Enterprise: [A] Can I demonstrate unauthorized actors do not have access to confidential data and systems?
      – Customers: [C] What are the costs of “penance programs” required after a breach (e.g. credit monitoring)?
      – Suppliers: [A] How is my organization exposed to risk due to a breached supplier (or vice-versa)?
      – Competitors: [A] Is my IP protected against corporate espionage?
      – Complementors: [U] What are my projected investigation costs after a breach?
      – Value Takers: [A] Unauthorized access to confidential data and systems through remotely exploitable vulnerabilities
    • Integrity (System Accuracy)
      – Enterprise: [A] Am I certain my data and systems have not been modified for unintended use?
      – Customers: [C] Is customer data at risk of loss due to data backup policies?
      – Suppliers: [C] Are indemnification & insurance provisions in place in the event of a security incident?
      – Competitors: [U] Are competitors given an advantage based on reputation loss due to a breach?
      – Complementors: [C] Are my operations protected and insured against financial theft?
      – Value Takers: [U] Unauthorized modification of confidential data and systems
    • Availability (Exposed Value)
      – Enterprise: [V] Are the tools employees need to be productive hindered? Have I already been hacked?
      – Customers: [V] Are my customers protected against critical system outages?
      – Suppliers: [V] What are the impacts of manufacturing downtime due to an outage?
      – Competitors: [U] Are my customers impacted through dependencies in downstream systems?
      – Complementors: [U] Can a key partnership reduce the impact of critical system outages?
      – Value Takers: [V] Critical services disrupted due to malicious activity impacting obligations throughout the Value Net
    • Non-Repudiation (Fulfilled Obligations)
      – Enterprise: [U] What are the remediation costs associated with repairing impacted data and systems?
      – Customers: [U] What is the impact associated with notifying affected parties of a breach?
      – Suppliers: [C] Are security controls sending and validating receipt tokens from trusted sources?
      – Competitors: [A] Are my systems exposed to undetected data changes in transit or at rest?
      – Complementors: [C] What is my exposure to legal liabilities and fines due to a data breach or non-compliance?
      – Value Takers: [C] Actions taken in bad faith or with the intention of breaking an obligation
  15. Our security approach fills the gaps left by traditional risk-based methods. Traditional security measurement and decision methods, focusing on a low-fidelity matrix of probability & impact, do not materially improve the organization’s ability to make smart security decisions. In fact, evidence suggests the risk matrix is no better than choosing investments at random.
    • Traditional Risk-Based Methodology – Enterprise focused (McKinsey example), suited to complicated environments. Typical questions: What is more risky, 7 “Mediums” or 1 “High”? How many “Medium” risks can I mitigate for $1MM?
    • Quantitative Method for Risk – Value Network focused (Pariveda’s approach), suited to complex environments. Typical statement: Based on our current security posture there is a 43% chance of exceeding a $3MM loss over the next 5 years.
    Source
  16. Where do I start? Pariveda’s Business Security Workshop helps our clients develop a practical understanding of quantitative Value-at-Risk measures and how to apply them to make smarter cybersecurity investment decisions. Business Security Workshop Agenda:
    • 9:00am – Welcome: Introductions & Overview. Open with workshop kick-off. Key activities: introduce workshop attendees and facilitators; discuss expectations and success criteria for the day; build a list of open security questions to answer throughout the day. Close: lists generated. Artifacts: list of success criteria; list of open questions to answer.
    • 9:30am – Value-at-Risk: Value-at-Risk Approaches (presentation). Key activities: discuss and assess how traditional security approaches and risk measurements affect Value-at-Risk; address open questions outlined in introductions; understand residual objections. Close: answered open risk questions. Artifacts: presentation reference materials delivered (use after workshop).
    • Break (15m)
    • 11:00am – Exercise: Shared Understanding of Risk. Open with exercise overview and rules. Key activities: breakout sessions; group collaboration and exercise; develop a shared understanding of how to address risk; improve calibration capabilities. Close: feedback & debrief on results. Artifacts: completed exercises; feedback provided on results.
    • Lunch (60m)
    • 2:00pm – Exercise: Risk in Value Networks. Open with exercise overview and rules. Key activities: group collaboration and exercise in breakout sessions; develop perspective on risks associated with value networks; presentation on decisions made; vote on next steps. Close: feedback & debrief on results. Artifacts: completed exercises; feedback provided on results; focus areas defined (2-3).
    • Break (30m)
    • 3:30pm – Closing: Next Steps & Resources. Open with kick-off of next steps discussion. Key activities: orient on focus area; validate perspectives generated during the workshop and agree on next steps; improved dialog between security practitioners, technical leaders, and executive sponsors. Close: next steps defined & agreed on. Artifacts: success criteria addressed.
    Topics covered across the day: Introductions • Workshop Agenda & Logistics • Workshop Schedule • Workshop Ground Rules • How Did We Get Here? • Objective vs. Subjective Risk • Confidence Intervals • Calibrated Estimates • Complex vs. Complicated Environments (Cynefin) • Probe-Sense-Respond • The Moat is Obsolete • Traditional Risk Matrix Issues • Quantitative Risk Approaches • Bi-Modal Value-at-Risk • Anatomy of Target Breach • Value Networks & Risk • Business Risk Appetite • Quantitative Risk Expression • Loss Exceedance Curves • Measuring Uncertainty • Multi-Layer Value Net • “5 Connections” Decomposition • Additional Resources (curated list of items to assist after the workshop is delivered) • Feedback from Group Collected (future workshop improvement) • List of Potential Next Steps
  17. Target Case Study – The Anatomy of a Mega Breach
  18. The impact of security breaches is amplified as humans leverage tools and devices.
    • Human Actors – Humans targeting key assets using manual or social methods. Example: a coordinated phishing attack exposed sensitive emails of a presidential candidate.
    • Software Tools – Tools leveraged to scan, exploit, and/or automate malicious activities. Example: automated tools identified passwords that were not encrypted properly.
    • Physical Devices – Devices compromised to steal sensitive information or used for unintended purposes. Example: POS devices compromised in order to steal credit card data.
  19. You are not as secure as you think you are. As organizations become more connected they find themselves at increasing risk of cyberattack due to the implicit trust placed in customers and suppliers within a complex value ecosystem. In addition, the scale and sophistication of cyberattacks is growing rapidly, compounding the problem. [Chart of Notable Security Breaches: x-axis Scale & Sophistication of Attacks, y-axis Impact & Amplitude of Security Breaches. Three bands: damage limited to the scale of an individual (Human Actors); impact expanded to adjacent trusted connections (Human Actors + Software Tools); impact sends a ripple effect throughout the connected ecosystem (Human Actors + Software Tools + Physical Devices)]
  20. Target’s Mega Breach. Target’s recent breach reveals the need for a holistic security approach. Attackers penetrated Target’s network and ultimately infected their point-of-sale systems with malware. As a result, 70 million customer records and 40 million credit card numbers were captured and exfiltrated to Russia over a thirty-day period before the breach was closed. [Diagram: 22 numbered events (Target, Source and Threat actions by Human Actors, Software Tools and Physical Devices) plotted across the Business (People, Structure, Process), Technical (Applications, Frameworks, Infrastructure) and Product (Suppliers, Products, Customers) lanes of the canvas:]
    • Phishing attack targeted HVAC contractor
    • Keylogging software installed on contractor machine
    • Target network account credentials stolen
    • Weak access control policies (vendors)
    • Attackers attempt to access Target network remotely
    • Target network accessed using stolen credentials
    • Target network probed for vulnerabilities
    • Weak network segmentation left systems open
    • File/Web server compromised (custom code)
    • POS systems not security hardened
    • Malware installed on POS systems (RAM scanner)
    • Target implemented FireEye tool (6 months before)
    • FireEye tool misconfigured (auto delete)
    • Security software flagged malware
    • Security alerts ignored (signal over noise)
    • Target quarantined malware
    • Credit card and customer data exfiltrated via file server
    • Activity noticed by Israeli security firm
    • Credit card and customer data sold
    • ~$500 million total impact
    • $100 million investment in security upgrade
    • CEO resigned
  21. Target’s Mega Breach (continued). Target’s recent breach reveals the need for a holistic security approach. Attackers penetrated Target’s network and ultimately infected their point-of-sale systems with malware. As a result, 70 million customer records and 40 million credit card numbers were captured and exfiltrated to Russia over a thirty-day period before the breach was closed. [The same 22-event canvas diagram as the previous slide, annotated with three root causes:]
    • Value-at-Risk not aligned with business processes or codified in tools
    • People lacked security know-how to manage expensive tools
    • Insufficient vendor security monitoring & accountabilities
  22. Target’s established security methods provided a false sense of protection. Target had a limited view of their security posture, resulting in unknown gaps that were eventually exploited at great cost to the organization. Most security tools and frameworks are product-focused and fail to create a comprehensive view of the risk landscape facing organizations. [Illustrative – Hypothesis View of the questions Target’s existing methods covered, across Business (targeting People: People, Structure, Process), Technical (targeting Apps & Infrastructure: Applications, Frameworks, Infrastructure) and Product (targeting Products & Suppliers: Suppliers, Products, Customers):]
    • Does the organization foster a culture of personal accountability and awareness?
    • RACI defined & communicated across the organization with measures & expectations?
    • Is employee and contractor security training established, executed, and refreshed?
    • Are compliance and audit requirements regularly reviewed and achieved?
    • Is it easy for customers and employees to discern authentic communication?
    • Are the organization’s people augmented with capable and easy-to-use security tooling?
    • Is active threat monitoring implemented with automated actions/alerting?
    • Are the organization’s products adequately secure and updatable if needed?
    • Are customers protected from misbehaving products?
    • Firewall implemented and configured to restrict external access?
    • Are static and dynamic security scans implemented internally and externally?
    Note on the slide: FireEye, an industry-leading security and threat management tool – partial DIY implementation.
  23. However, Target’s fractional perspective resulted in unidentified gaps. A more complete hypothesis view of Target’s threat landscape prior to their breach identifies several critical areas that were left unaddressed. [Example Enterprise Security Canvas – Executive Summary, Illustrative – Hypothesis View; legend: High Risk, Medium Risk, Low Risk, High Value-at-Risk; lanes Business (targeting People), Technical (targeting Apps & Infrastructure), Product (targeting Products & Suppliers) over People, Structure, Process, Applications, Frameworks, Infrastructure, Suppliers, Products, Customers:]
    • Does the organization foster a culture of personal accountability and awareness?
    • RACI defined & communicated across the organization with measures & expectations?
    • Is employee and contractor security training established, executed, and refreshed?
    • Is the organization equipped with the technical know-how to leverage security tools?
    • Are compliance and audit requirements regularly reviewed and achieved?
    • Comprehensive systems, data, & infrastructure documentation with security definitions?
    • Taking responsibility to level up security of 3rd-party vendors and suppliers?
    • Is the organization socializing security best practices within the connected ecosystem?
    • Is it easy for customers and employees to discern authentic communication?
    • Are the organization’s people augmented with capable and easy-to-use security tooling?
    • Is security evaluated using a Value-at-Risk approach with associated priorities?
    • Are security outcomes codified using a top-down focus on business objectives?
    • Are security alerts and associated thresholds actively managed?
    • Is the principle of least privilege the default security method, with a trust-but-verify implementation?
    • Is active threat monitoring implemented with automated actions/alerting?
    • Are common best practices coordinated with partners, including expectations and contracts?
    • Are the organization’s products adequately secure and updatable if needed?
    • Are customers protected from misbehaving products?
    • Are investments in cybersecurity effectively placed based on the holistic security landscape and value chain?
    • Are secure onboarding and offboarding procedures documented and automated?
    • Is data adequately sharded and protected in flight and at rest?
    • Is Identity and Access Management fully defined and implemented across the org?
    • Is the network appropriately segmented across various systems of value?
    • Is the risk of implicit trust relationships within the ecosystem adequately mitigated?
    • Are static and dynamic security scans implemented internally and externally?
    • Are risks and vulnerabilities mitigated within the value chain through suppliers and customers?
  24. Target would have avoided catastrophe if the Security Canvas was used. As organizations adopt and evolve the Enterprise Security Canvas, they will more effectively prevent the malicious or unintentional actions required for successful exploits to occur, ultimately resulting in a more effective and future-proof security posture. [The same 22-event Target breach canvas as slide 20, with the events marked as a Supplier Gap, a Process Gap or a People Gap, and annotated: “Could have been prevented if Canvas was used”]
  25. Appendix
  26. What CISOs are asking. “There are two types of companies: those that have been hacked, and those who don't know they have been hacked.” – John T. Chambers, Former CEO, Cisco Systems
    • How do I gain insight into the big picture with a holistic security view?
    • How can I manage 3rd-party risk within the Cyber Supply Chain?
    • How do I manage the human factor?
    • How do I manage business risk with a top-down approach?
    • How will global compliance and regulations affect the organization?
    Source: CSOonline
  27. The ripple effects of breaches are amplified within a connected ecosystem. Due to the trusted nature of data transactions between organizations, their customers, and products, attackers frequently impact companies that are participants in the connected ecosystem, resulting in a cascade of consequences that is difficult to contain and quantify. Malicious actors are constantly probing for security gaps. Facebook example shown on the slide:
    • Attackers discovered multiple vulnerabilities in Facebook’s app
    • The exploit granted attackers a security token for any Facebook user
    • Private account details exposed for 50-90 million Facebook users
    • The security token was potentially used to gain access to over 100 sites using Facebook login
    • Facebook, and their partners, do not understand the full impact of this breach
  28. 28. Security incidents are growing at an unprecedented rate. Organizations are scrambling to respond to the unprecedented growth in the level and severity of security incidents. As a result, security investments increase as public breaches are disclosed, with limited insight into the effectiveness or total cost of security implementations.

• Cybersecurity spend is up 35x: security investments increase as public breaches are disclosed; ~$1 trillion over the next 5 years.
• Detecting a major breach takes one year (365 days): attackers seek to avoid detection by slowly siphoning data from networks, increasing MTTI (mean time to identify).
• Virtually all mega breaches are malicious (90%): studies show over 90% of breaches that affect over 1 million records are criminal or malicious in nature.
• Recurring breaches are likely (30%): 30% of organizations experience a recurring material breach over the next 24 months.
• Security spending is reactive (41%): security spend is mostly reactive; 41% of companies feel their application security is sufficient.
• Cybercrime damages will exceed an estimated $6 trillion* worldwide by 2021.
• Confounding cost factors of a security breach include disruption of operations. *The total cost of breaches is frequently underreported.
  29. 29. Enterprise Security Canvas – High-Level Questionnaire (EAF Lens). We have developed an Enterprise Security Canvas that helps improve the security posture of our clients through a Value Network lens. Columns are the Enterprise Architecture Framework dimensions: Business (targeting People: People, Structure, Process), Technical (targeting Apps & Infrastructure: Applications, Frameworks, Infrastructure) and Product (targeting Products & Suppliers: Suppliers, Products, Customers). Rows are the Enterprise Security Commitments: Confidentiality, Integrity, Availability.

Confidentiality (Authorized Access)
• People: Are humans trained on regularly updated and proper data handling policies and procedures?
• Structure: Are organizational units only given the access and privileged access required to perform their role?
• Process: Are clear guidelines and policies created to govern and audit the access of sensitive information?
• Applications: Are the interactions and data across custom, 3rd party, and SaaS applications adequately quarantined?
• Frameworks: Are unauthorized agents prohibited from accessing sensitive data through system architecture, design, and controls?
• Infrastructure: Are production systems only accessible through an automated approval workflow?
• Suppliers: Are suppliers given adequate privileged access to data and systems in order to meet their requirements?
• Products: Are customers, employees, partners, and competitors shielded from sensitive product data and features?
• Customers: Are customer accounts only viewable by authorized agents in a transparent manner?

Integrity (System Accuracy)
• People: Is the organization protected against human error when accessing key systems or disclosing sensitive data?
• Structure: Are downstream controls in place to detect fraudulent activity across departments (e.g. finance/audit)?
• Process: Are processes defined and followed to detect unauthorized activity or modification of data and systems?
• Applications: Are Value Network activities monitored and validated using automated tools and manual review processes?
• Frameworks: Is data encrypted in-flight and at-rest throughout all repositories and transactions?
• Infrastructure: Are the data center and associated SaaS integrations monitored for unauthorized modification of data and systems?
• Suppliers: Is there a clear and transparent transaction agreement and catalog between the enterprise and suppliers?
• Products: Are product exchanges and interactions validated across both parties?
• Customers: Are customer accounts protected against improper destruction or modification of their private information?

Availability (Exposed Value)
• People: Are transactions between humans and systems monitored and audited for unusual behavior?
• Structure: Are backup measures in place to facilitate business continuity in the event of a security incident?
• Process: Are tools employees need to be productive being hindered by unnecessary or redundant security controls?
• Applications: Are critical integration points protected through automated disaster recovery and backup processes (RTO/RPO)?
• Frameworks: Are cybersecurity implementation decisions weighed against availability and performance of production systems?
• Infrastructure: Are systems protected against malicious service disruption actions and threats (e.g. DDoS)?
• Suppliers: Are suppliers given adequate and timely access to data and systems in order to fulfil their commitments?
• Products: Are products set up to continue functioning when disconnected from key resources?
• Customers: Can customers access and use data and functionality in a timely and reliable manner?
  30. 30. Calibrated Value & Risk Assessment requires decomposition of potential security incidents across the Value Network using quantitative methods. Illustrative:

Decompose and Estimate Impact
1. Leverage the Enterprise Security Canvas to decompose potential security impacts top-down.
2. Apply quantitative estimates (90% Confidence Interval) of Probability of Occurrence and Expected Loss.

Baseline Risk vs. Tolerance & Socialize
3. Combine quantitative analysis methods and simulation ranges to report potential losses vs. business risk appetite.

Update Exposed Risk Over Time
4. Update probabilities using Bayesian Analysis as we collect more data about our security posture over time.
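As an added illustration of steps 2 to 4 (not part of the original deck or of Pariveda's own tooling), the following Python script fits a lognormal loss distribution to each scenario's 90% confidence interval, runs a Monte Carlo simulation of annual loss to compare a 95% Value-at-Risk against a risk appetite, and updates a scenario's probability of occurrence with a Beta-binomial Bayesian update as incident data arrive. The scenario names, probabilities, loss ranges and appetite are constructed placeholders, and the prior weight of 10 pseudo-years is an assumption.

```python
import math
import random

Z90 = 1.645  # z-score bounding a 90% confidence interval (5th to 95th percentile)

def lognormal_from_ci(low, high):
    """Fit a lognormal to a calibrated 90% CI on loss magnitude; returns (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return mu, sigma

def expected_loss(scenarios):
    """Closed-form annual expected loss: sum over scenarios of p * E[lognormal loss]."""
    total = 0.0
    for s in scenarios:
        mu, sigma = lognormal_from_ci(s["low"], s["high"])
        total += s["p"] * math.exp(mu + sigma ** 2 / 2.0)
    return total

def simulate_annual_loss(scenarios, trials=20000, seed=7):
    """Monte Carlo: each year every scenario fires with probability p and draws a lognormal loss."""
    rng = random.Random(seed)
    fitted = [(s["p"],) + lognormal_from_ci(s["low"], s["high"]) for s in scenarios]
    totals = []
    for _ in range(trials):
        year = 0.0
        for p, mu, sigma in fitted:
            if rng.random() < p:
                year += rng.lognormvariate(mu, sigma)
        totals.append(year)
    totals.sort()
    return totals

def percentile(sorted_losses, q):
    """Empirical q-quantile of an ascending list (q=0.95 gives a 95% Value-at-Risk)."""
    return sorted_losses[min(len(sorted_losses) - 1, int(q * len(sorted_losses)))]

def update_probability(prior_p, years_observed, incidents, prior_weight=10.0):
    """Beta-binomial update; the expert's prior counts as prior_weight pseudo-years (assumed 10)."""
    a = prior_p * prior_weight + incidents
    b = (1.0 - prior_p) * prior_weight + (years_observed - incidents)
    return a / (a + b)

def risk_report(scenarios, appetite, trials=20000):
    """Baseline simulated annual loss against the business risk appetite (step 3)."""
    losses = simulate_annual_loss(scenarios, trials)
    var95 = percentile(losses, 0.95)
    return {"expected": expected_loss(scenarios), "median": percentile(losses, 0.5),
            "var95": var95, "exceeds_appetite": var95 > appetite}
# Constructed illustrative scenarios decomposed via the canvas; not real client data.
SCENARIOS = [
    {"name": "supplier credentials phished", "p": 0.30, "low": 200_000, "high": 5_000_000},
    {"name": "POS malware exfiltrates card data", "p": 0.05, "low": 20_000_000, "high": 500_000_000},
    {"name": "DDoS outage of customer portal", "p": 0.50, "low": 50_000, "high": 800_000},
]
```

Calling `risk_report(SCENARIOS, appetite=25_000_000)` gives the step 3 baseline, and `update_probability(0.30, years_observed=1, incidents=0)` shows one quiet year pulling the supplier scenario's 0.30 prior down to about 0.27.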
  31. 31. Breach comparison for Target, Facebook, Equifax and Home Depot (rows: The Situation, The Result, Financial Impact, Other Impact, Root Cause, Key Finding).

The Situation
• Target: Attackers gained access to Target’s network through a malware exploit aimed at an HVAC supplier and stole privileged credentials used to remotely support heating and air systems.
• Facebook: Attackers gained direct access to user accounts through an exploit in the “View As” feature, generating authentication tokens for unauthorized attackers.
• Equifax: Attackers gained access to the online dispute portal, which ultimately granted access to other servers within Equifax’s network.
• Home Depot: Attackers used stolen credentials from a 3rd party vendor to access Home Depot’s network and install malware on POS machines to steal credit card information.

The Result
• Target: 40 million customer debit and credit cards compromised
• Facebook: 50-90 million user account details compromised
• Equifax: 150 million account details compromised containing personal data
• Home Depot: 56 million credit card numbers and 53 million email addresses stolen

Financial Impact
• Target: $420,000,000
• Facebook: TBD (> $1B)
• Equifax: $439,000,000
• Home Depot: $633,000,000

Other Impact (listed in slide order across the four breaches)
• Settled lawsuits from 48 states
• Senate hearing
• GDPR fines
• Lost contract with IRS
• Ongoing FTC investigation
• Settled lawsuit with banks
• Class action customer lawsuit

Root Cause (listed in slide order across the four breaches)
• Poor password management practices
• Insecure vendor access policies
• Multiple application defects exploited
• Inside knowledge required
• Insufficient logging and auditing
• Identification & Detection failure
• Lack of proper data governance
• Production patching policies
• Poor network segmentation
• Lack of IAM policies
• Encryption and Antivirus missing

Key Finding
• Target: “Once inside Target’s network, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.”
• Facebook: Facebook does not have insight into who is responsible for the attack or the extent to which accounts were compromised – including 100+ 3rd party sites leveraging Facebook login.
• Equifax: Attackers exploited a well-known server vulnerability after publicly scanning the internet. Security experts agree this was an “easy hack” that had extreme consequences.
• Home Depot: All of the tools and methods for the Home Depot breach are commonly available online, creating a low barrier of entry to orchestrate sophisticated attacks on large companies.

Security breaches don’t just affect technology companies. As organizations become more connected and continue to increase the size and types of data captured on their customers, the impact and long-term damage of security breaches will continue to grow. Organizations that experience a security breach also face hidden costs: reputational harm, business disruption, and loss of data.
  32. 32. Pariveda’s Enterprise Architecture Framework
• Strategy (shown spanning both architectures)
• Business Architecture: People, Structure, Process
• Technical Architecture: Applications, Frameworks, Infrastructure
  33. 33. Pariveda –illities Framework (Criteria, Description, Example Sub-Criteria)

Business
• Functionality: Solution’s ability to deliver its required capabilities and meet the business needs. Sub-criteria: Specific Features, Reporting, Specific Requirements, Error Handling.
• Usability: User’s productivity when working with the solution. Sub-criteria: Assistance, Learnable, Modular, Productive, Structured.
• Affordability: Solution’s overall cost including acquisition and on-going maintenance. Sub-criteria: Hardware Costs, Licensing Costs, Implementation Costs, Support Costs, Training Costs.

Technical
• Maintainability: Level of effort required to keep the solution running while in production, including problem resolution and ongoing support. Sub-criteria: Manageable, Operable, Recoverable, Analyzable, Testable, Upgradeable.
• Flexibility: Solution’s ability to accommodate additional business processes or changes in functionality. Sub-criteria: Adaptable, Configurable, Maneuverable, Modifiable.
• Scalability: Solution’s ability to support additional users while meeting quality of service goals. Sub-criteria: Capacity, Throughput, Resource Utilization, Response Time, Reliability.
• Interoperability: Solution’s ability to interact effectively with other systems or components. Sub-criteria: Integration Protocol, Loosely Coupled, Tiered, Legislative Compliance.
• Security: Solution’s ability to prevent unauthorized disclosure, loss, modification or use of its data or functionality. Sub-criteria: Access Control, Encryption, Secure Design, Auditability, Authentication.
• Compatibility: Solution’s conformance with existing and emerging infrastructure and with internal and external standards. Sub-criteria: Standards Based, Internal Tool Support, Internal Skill Set.

Vendor
• Prominence: Perception of the vendor in the marketplace. Sub-criteria: Industry Support, Market Share, Maturity, Product Viability, Vendor Stability.
• Experience: Vendor’s familiarity in delivering solutions to similar organizations and with similar topical focus. Sub-criteria: Established Practice by Topic, Industry Experience, Focus Area Expertise.
• Capabilities: Vendor’s skills both in developing pertinent solutions and positioning their clients for future success. Sub-criteria: Depth of Skills by Topic, Knowledge Transfer and Training, IC Reuse and Limitations.
• Community: Vendor’s alignment with the client’s culture. Sub-criteria: Local Presence, Cultural Fit, Community.
  34. 34. Security enablement within the software development/QA process. As the Enterprise Security Canvas is broken down into more granular chunks, we ensure comprehensive coverage across key value-delivery activities within the Enterprise. The following example outlines a QA approach with security included as a first-class citizen for a major client.

Test layers (owners shown on the slide: Dev, Business):
• Unit Tests: Low-level unit tests that drive code coverage at the developer level
• Quality & Security: Static and dynamic security and code quality scans through tooling
• Integration & API: Automated integration and API tests that validate service-level features
• UI Tests: Automated tests that drive features through the front-end UI (Key Tools: Selenium)
• Exploratory: Manual business-focused testing that simulates end-user interactions
  35. 35. Maturing the SDLC: Target Improvement Stages
• Stage 0 (Adhoc): Reactive response to issues identified outside of the group, no formal process. Activities are not documented or repeatable.
• Stage 1 (Minimum Expectation): Clearly defined security requirements and an accountable role on the team. The team performs spot-checks on applications. The business understands the security accountability the team has and is aligned.
• Stage 2 (Defined Process): Clearly outlined security checkpoints as defined steps in the SDLC and ongoing operations. Business stakeholders understand security as a process step to be crossed before work can continue.
• Stage 3 (Integrated to Delivery): Security is integrated into the complete SDLC. Practitioners are part of backlog grooming, prioritization, delivery, validation, and deployment stages. Security is more than just a “checkpoint” but a thoughtful dialogue.
• Stage 4 (Optimization / Quality Circles): Targeted investments in technology and processes to reduce the cost/effort of achieving desired security outcomes. Business stakeholders and dev teams achieve balance in discussion by reducing the perceived ‘false choice’ between security and functionality.
  36. 36. Cynefin Framework & VUCA
▪ https://hbr.org/2007/11/a-leaders-framework-for-decision-making
▪ https://hbr.org/2014/01/what-vuca-really-means-for-you
  37. 37. References
▪ https://gizmodo.com/facebook-could-face-up-to-1-63-billion-fine-for-latest-1829426100
▪ https://resources.infosecinstitute.com/defense-in-depth-is-dead-long-live-defense-in-depth/#gref
▪ https://www.nist.gov/cyberframework/online-learning/five-functions
▪ https://www.scrypt.com/blog/average-cost-data-breach-2017-3-62-million/
▪ https://cybersecurityventures.com/cybersecurity-market-report/
▪ http://www.morganstanley.com/ideas/cybersecurity-needs-new-paradigm
▪ https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/staying-ahead-on-cyber-security
▪ https://www.mckinsey.com/business-functions/risk/our-insights/a-new-posture-for-cybersecurity-in-a-networked-world
▪ https://www.mckinsey.com/business-functions/risk/our-insights/insider-threat-the-human-element-of-cyberrisk
▪ https://www.investors.com/news/technology/security-freeze-giants-ibm-cisco-squeeze-palo-alto-check-point/
▪ https://www.sans.org/reading-room/whitepapers/analyst/paper/36697
▪ https://www.amazon.com/How-Measure-Anything-Cybersecurity-Risk/dp/1119085292/
▪ https://www.digitalcommerce360.com/2018/09/04/the-cost-of-a-u-s-data-breach-7-91-million/
▪ https://www.tenable.com/blog/transforming-security-from-defense-in-depth-to-comprehensive-security-assurance
▪ https://www.sans.org/reading-room/whitepapers/warfare/paper/33896
▪ https://www.sans.org/reading-room/whitepapers/dlp/data-breach-impact-estimation-37502
▪ https://newsroom.ibm.com/2018-07-11-IBM-Study-Hidden-Costs-of-Data-Breaches-Increase-Expenses-for-Businesses
▪ https://www.ibm.com/security/data-breach/
▪ https://www.securityweek.com/defense-depth-has-failed-us-now-what
▪ https://www.csoonline.com/article/2124452/identity-access/where-defense-in-depth-falls-short.html
▪ https://www.sans.org/reading-room/whitepapers/warfare/defense-depth-impractical-strategy-cyber-world-33896
▪ https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
▪ https://motherboard.vice.com/en_us/article/8q8dab/15-million-connected-cameras-ddos-botnet-brian-krebs
▪ https://people.carleton.edu/~carrolla/index.html
▪ https://www.csoonline.com/article/3256147/security/what-s-on-cisos-minds-in-2018.html
▪ https://www.amazon.com/Co-Opetition-Adam-M-Brandenburger/dp/0385479506
▪ https://www.amazon.com/How-Measure-Anything-Intangibles-Business/dp/1118539273/
